Tag: malware infection

Security Vulnerability found in Google Chrome Running on Windows

The strongest security features of Google Chrome, including the sandbox, ASLR and DEP, were bypassed by VUPEN security researchers. The vulnerability affects the latest version of Google Chrome (v11.0.696.65) for Windows.

The vulnerability affects all Windows-based computers, on both 32-bit and 64-bit versions of the OS. It is exploited simply by making the user visit a specially prepared web page containing sophisticated code that runs a chain of payloads to download and start an arbitrary program. The program runs silently, without even crashing Google Chrome once the payload has executed. It launches outside the sandbox, at medium integrity level; however, most malware today does not need a high integrity level to run.

Since the details of the vulnerability have not been made public, Chrome users need not panic.

Linux Routers Targeted by Tsunami Malware

Ever thought Linux was invulnerable and robust against malware attacks? Then it's time to rethink. Security researchers at TrendMicro found malware that can exploit routers based on Linux and Unix platforms. Although the malware was reported predominantly in Latin America, it could spread to other regions.

Potential of the threat
As per the source, the malware, identified as ELF_TSUNAMI.R, has high damage potential, though its distribution potential and overall risk are rated low. It runs as an ELF binary that acts as a Linux IRC (Internet Relay Chat) backdoor and performs brute-force attacks through repeated login attempts against the router, or exploits the router directly. The attacker can also disable the firewall on the compromised router, leaving the network susceptible to further attacks.

How it works
The attacker drops an ELF file containing the ELF_TSUNAMI.R code onto the router. It may be dropped by other malware, or unknowingly downloaded by a user on the network while visiting a malicious website. The file creates a backdoor on the router through which the attacker can send and execute commands via an Internet Relay Chat (IRC) server.

The vulnerability in D-Link routers
Certain D-Link routers are currently affected by a remote authentication bypass vulnerability. Because of it, an attacker can download the ‘config.xml’ file without going through the normal authentication. This file contains the complete configuration of the device as well as the usernames and passwords of the users defined on it. Once the attacker has the file, he can simply take over admin privileges on the affected router and the subnet behind it. Details of the affected firmware versions can be found at http://www.juniper.net/security/auto/vulnerabilities/vuln13679.html.
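One way a network administrator can watch for this kind of configuration-file exposure is to review the router's (or a fronting reverse proxy's) HTTP access log for successful, unauthenticated downloads of config.xml. The following is an added example, not code from the original post or from any vendor: it assumes Common Log Format entries, a configured LAN prefix (192.168.0.0/24 here), and constructed sample lines rather than a real capture.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines in Common Log Format (assumption: the router,
# or a reverse proxy in front of its admin interface, logs in this format).
# These are not real captures; 203.0.113.x and 198.51.100.x are documentation
# ranges standing in for external clients.
SAMPLE_LOG = """\
192.168.0.5 - admin [10/May/2011:09:12:01 +0000] "GET /config.xml HTTP/1.1" 200 18340
203.0.113.77 - - [10/May/2011:09:13:44 +0000] "GET /config.xml HTTP/1.1" 200 18340
203.0.113.77 - - [10/May/2011:09:13:45 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.9 - - [10/May/2011:09:14:02 +0000] "GET /config.xml HTTP/1.1" 401 0
192.168.0.9 - - [10/May/2011:09:15:30 +0000] "GET /cgi-bin/config.xml?x=1 HTTP/1.0" 200 18340
"""

# Assumed LAN prefix; a real deployment would read this from configuration.
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass
class Alert:
    ip: str
    path: str
    severity: str
    reason: str


def _is_lan(ip: str) -> bool:
    """True if the client address falls inside one of the configured LAN prefixes."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def _is_config_fetch(path: str) -> bool:
    """Match a request for config.xml regardless of directory or query string."""
    return path.split("?", 1)[0].lower().endswith("/config.xml")


def detect_config_exposure(log_text: str) -> list:
    """Return one Alert per successful config.xml download that carried no authenticated user."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not _is_config_fetch(m["path"]):
            continue
        if m["status"] != "200":
            continue  # a 401/403/302 means the download did not succeed
        if m["user"] != "-":
            continue  # an authenticated user fetched it: expected admin behaviour
        if _is_lan(m["ip"]):
            alerts.append(Alert(m["ip"], m["path"], "medium",
                                "config.xml served to LAN client without authentication"))
        else:
            alerts.append(Alert(m["ip"], m["path"], "high",
                                "config.xml served to WAN client without authentication"))
    return alerts


if __name__ == "__main__":
    for a in detect_config_exposure(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ip} {a.path}: {a.reason}")
```

Only a 200 response with an empty user field is treated as evidence of the bypass; rejected requests are deliberately ignored so the rule does not fire on ordinary probing noise. A hit from outside the LAN is the case that matters most, since the remote admin interface should not be reachable from the WAN at all.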


Nasdaq System Faces Malware Attack

The company that owns the Nasdaq stock market recently disclosed that a malware attack had been identified on its servers. The story was first reported by the Wall Street Journal. Nasdaq trading was not affected, as the attackers’ target was information from the boards of directors of publicly traded companies.

Going into the details, a few suspicious files were found on U.S. servers by the Nasdaq OMX group, which then confirmed a breach of its systems. The breach came through its web-based collaboration platform, Directors Desk, a system offered by NASDAQ with about 10,000 users worldwide that is operated separately from Nasdaq’s trading platform.

The FBI and DOJ have together been investigating the issue for over a year to find out how the malicious files got into the Directors Desk system. The intent of the hackers is unknown, but according to the reports the program allowed its authors to see what items and messages were being shared via the Directors Desk platform. According to Directors Desk’s website, the application is used by 10,000 directors at Fortune 500-sized companies, so it is not surprising that the system was targeted.

On a side note, the Directors Desk website claims that its security standards comply with ISO 27001.


Being Secure from Drive-by Malware

Despite heavy investment in security tools such as firewalls and anti-malware, and precautions such as safe browsing, many Internet users still fail to keep their PCs from getting infected. This can be attributed to low awareness of the growing range of malware, which keeps evolving new tactics, and to negligence in regularly updating the application software on the PC. Drive-by malware is one such type of malware; it infects a PC through vulnerabilities in the outdated applications installed on it.

What is Drive-by malware?
Drive-by malware mostly uses vulnerabilities in the web browser or browser plug-ins, or a security hole in applications such as Adobe Reader, to infect a PC. Drive-by malware is malicious code that is downloaded when visiting an infected website, opening an attachment to a spam e-mail, or clicking on a deceptive pop-up window. Often this arbitrary code downloads and executes on the PC without the knowledge or permission of the user.

Infected websites: a major source of malware
Even when avoiding illegitimate and suspicious URLs, one can still be exposed to online malware attacks. A recent report from Symantec says that 90% of all websites used to spread malware or launch attacks against users are legitimate sites that have been infected. Often the webmasters or owners of these infected websites are not aware of the infection. This generally happens because of old, vulnerable web server software that can easily be exploited, through a malicious ad distributed via an advertising network or by other means. According to Websense Security Lab, the number of websites carrying malicious software grew 225% in the last six months of 2009 alone, and most websites with malicious code are legitimate sites that have been hacked.

Since the owner of the website is not aware of the infection, users will unknowingly open the legitimate-but-infected site and get their PC infected with drive-by or similar malware.
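A webmaster who wants to check whether their own pages have been tampered with can look for the typical sign of an injected drive-by loader: an iframe that is hidden by style, sized to zero, or buried inside a hidden container, especially when it pulls content from another host. The following auditor is an added example, not code from the original post; the page it scans is a constructed sample for a fictional site, and the flagged iframe source is made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a fictional site. The second iframe is a
# made-up injected loader; the third is a same-site frame inside a hidden
# div, which is worth a look but not alarming on its own.
SAMPLE_HTML = """<html><head><title>Acme Widgets</title></head>
<body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://ads.example.net/f.php" width="0" height="0" style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="/legacy/frame.html"></iframe></div>
</body></html>"""

SITE_HOST = "www.acme-widgets.example"  # assumed hostname of the audited site

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def _hidden_style(style):
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def _zero_size(attrs):
    return attrs.get("width", "").strip() == "0" or attrs.get("height", "").strip() == "0"


class IframeAuditor(HTMLParser):
    """Flags iframes that are hidden, zero-sized or nested inside hidden containers."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hidden_stack = []   # one bool per open element: is that element hidden?
        self.findings = []       # (src, severity, reasons)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
            return
        if tag not in VOID_TAGS:
            self.hidden_stack.append(_hidden_style(a.get("style")))

    def handle_endtag(self, tag):
        if tag != "iframe" and tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

    def _check_iframe(self, a):
        reasons = []
        if _hidden_style(a.get("style")):
            reasons.append("hidden by inline style")
        if _zero_size(a):
            reasons.append("zero-sized")
        if any(self.hidden_stack):
            reasons.append("inside hidden container")
        if not reasons:
            return  # a visible iframe (e.g. a video embed) is not suspicious by itself
        src = a.get("src", "")
        host = (urlparse(src).hostname or self.site_host).lower()  # relative src = same site
        offsite = host != self.site_host
        if offsite:
            reasons.append(f"loads off-site content from {host}")
        self.findings.append((src, "high" if offsite else "low", reasons))


def audit_html(html, site_host):
    """Return a list of (src, severity, reasons) for suspicious iframes in the page."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src, severity, reasons in audit_html(SAMPLE_HTML, SITE_HOST):
        print(f"[{severity}] {src}: {'; '.join(reasons)}")
```

Visibility, not origin, is the trigger: an off-site iframe is normal for embedded video or comment widgets, so only a concealed frame is reported, and it is rated high when it additionally loads from another host. Running this against a saved copy of each page after every deployment gives a cheap baseline to diff against.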

Avoid reading PDF documents in browsers
Adobe Reader is the most popular PDF reader software today. However, it is also one of the most exploited. According to researchers at the Georgia Institute of Technology and California-based SRI International, Adobe Reader attracted almost three times as many drive-by malware attempts as the other programs. It is therefore important to keep Adobe Reader updated regularly. Even with regular updates, you may still be at risk from its newest vulnerabilities, so it is recommended to avoid opening PDF documents inside the web browser.

Other Applications that can be vulnerable
Researchers found that apart from Adobe Reader, the applications most frequently targeted by drive-by download exploitation are Sun Java and Adobe Flash. Firefox 3 had a lower browser infection rate than all versions of Internet Explorer. PCs using Microsoft’s Internet Explorer 6 are very likely to be infected by drive-by attacks. Microsoft recently reported hackers hijacking PCs with drive-by attacks that exploit security flaws in IE 6 and IE 7. IE 8, however, is said to be immune to those attacks.

Keep your Software updated
Keeping your system updated is the most important factor in protecting yourself against drive-by malware, since it mostly exploits unpatched security holes in software applications. Windows users should check for patches and update their operating system regularly. Updating all other applications, such as the PDF reader, web browsers and plugins, is just as important for keeping the PC resistant to infection.
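The practical difficulty with "keep everything updated" is knowing which installed version is actually old, given that vendors format versions differently (Chrome's 11.0.696.65, Java's 1.6.0_24, a bare 9.4.2). The check below is an added example, not code from the original post; it parses any of those forms into comparable tuples and compares a constructed software inventory against a baseline of oldest acceptable versions. The baseline numbers are illustrative placeholders, not real vendor advisories.

```python
import re


def parse_version(text):
    """Extract the numeric components: '11.0.696.65' -> (11, 0, 696, 65), '1.6.0_24' -> (1, 6, 0, 24)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version found in {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a, b):
    """True if a is older than b; shorter tuples are zero-padded so '10.1' equals '10.1.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


# Constructed baseline: the oldest acceptable version per application.
# These values are placeholders for illustration, not real advisories.
BASELINE = {
    "Google Chrome": "11.0.696.70",
    "Adobe Reader": "10.0.1",
    "Adobe Flash Player": "10.3.181.14",
    "Java": "1.6.0_25",
    "Internet Explorer": "8.0",
}

# Constructed inventory, in the shape an asset-management export might produce.
INVENTORY = [
    ("Google Chrome", "11.0.696.65"),
    ("Adobe Reader", "9.4.2"),
    ("Adobe Flash Player", "10.3.181.14"),
    ("Java", "1.6.0_24"),
    ("Internet Explorer", "8.0.7601.17514"),
    ("Notepad++", "5.9"),
]


def find_outdated(inventory, baseline):
    """Return (name, installed, required) for every application older than its baseline entry."""
    outdated = []
    for name, installed in inventory:
        required = baseline.get(name)
        if required is None:
            continue  # not covered by the baseline: no opinion either way
        if version_lt(parse_version(installed), parse_version(required)):
            outdated.append((name, installed, required))
    return outdated


if __name__ == "__main__":
    for name, installed, required in find_outdated(INVENTORY, BASELINE):
        print(f"UPDATE {name}: installed {installed}, need at least {required}")
```

Comparing numeric tuples rather than strings avoids the classic mistake where "9.4.2" sorts after "10.0.1"; the zero padding keeps a longer build string such as IE's 8.0.7601.17514 from being judged older than a short baseline of 8.0.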

The malware on the Internet today has become extremely aggressive in infecting PCs. In this situation even a small mistake, such as neglecting updates, can take a big toll. Regular updating, and abandoning old vulnerable software altogether, is the best way to protect your PC against drive-by malware.